Title

The USB usage section of the SFUG, or equivalent document, does not contain a discussion of the devices that contain persistent non-removable memory. (Cat III impact)

Discussion

Without a discussion of tthe devices that contain persistent non-removable memory, an uninformed user can mistakenly attach such a device to an IS leading to the denial of service caused by an infection of the IS and possibly the network with malicious code. Additionally the user might compromise sensitive data thinking that removal of a memory card removed all the persistent memory within a device. The IAO will ensure that the USB usage section of the SFUG contains a discussion of the devices that contain persistent non-removable memory.

Check Content

The reviewer will interview the IAO and review the relevant documentation. The discussion should point out that with some devices it may not be obvious that it contains persistent non-removable memory and that, if there is a doubt, it will be treated as if it contains persistent memory.

Fix Text

Develop, update, and distribute a SFUG section on USB devices that discusses devices that may contain persistent non-removable memory in accordance with the SPAN STIG.

Additional Identifiers

Rule ID: SV-6997r1_rule

Vulnerability ID: V-6775

Group Title: USB SFUG Persistent Non-Removable Memory

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.